
CITRIX ADC - Radius group extraction


Hi, 

 

We are using Aruba Clearpass as a Radius server. 

We have configured the Radius server under System / authentication / Basics policies / Radius / Servers.

We also have configured a user administration group called "GroupTestSuperuser" which allowed CLI and API and bound the superuser Command policy.

We want the Clearpass to send a radius attribute to the Citrix ADC which will match the "GroupTestSuperuser" when authentication is successful.

We can see that the authentication is fine but the authorization is not working.

 

 

May 14 16:08:30 <local0.info> 172.24.7.114 05/14/2020:14:08:30 GMT ast-adc-pr-01 0-PPE-0 : default AAA Message 14311 0 :  "(0-0) send_authenticate_pdu: Sending Preamble"
May 14 16:08:30 <local0.info> 172.24.7.114 05/14/2020:14:08:30 GMT ast-adc-pr-01 0-PPE-0 : default AAA Message 14312 0 :  "In update_aaa_cntr: Succeeded policy for user admin-no = clearpass"
May 14 16:08:30 <local0.info> 172.24.7.114 05/14/2020:14:08:30 GMT ast-adc-pr-01 0-PPE-0 : default GUI CMD_EXECUTED 14315 0 :  User admin-no - Remote_ip 10.143.0.126 - Command "login admin-no "********"" - Status "Success"
May 14 16:08:30 <local0.info> 172.24.7.114 05/14/2020:14:08:30 GMT ast-adc-pr-01 0-PPE-0 : default GUI CMD_EXECUTED 14317 0 :  User admin-no - Remote_ip 10.143.0.126 - Command "show system user admin-no" - Status "ERROR: Not authorized to execute this command"
May 14 16:08:30 <local0.info> 172.24.7.114 05/14/2020:14:08:30 GMT ast-adc-pr-01 0-PPE-0 : default GUI CMD_EXECUTED 14319 0 :  User admin-no - Remote_ip 10.143.0.126 - Command "show system user admin-no" - Status "ERROR: Not authorized to execute this command"
May 14 16:08:30 <local0.info> 172.24.7.114 05/14/2020:14:08:30 GMT ast-adc-pr-01 0-PPE-0 : default GUI CMD_EXECUTED 14321 0 :  User admin-no - Remote_ip 10.143.0.126 - Command "show ns license" - Status "ERROR: Not authorized to execute this command"
 

 

What is the Radius attribute that needs to be sent to the ADC so that there is a match between the group and the radius attribute sent by the Clearpass?

 

Thanks. 

 

Nicolas. 

 


In addition to Carl's post, did you also define the radius group on the Citrix ADC exactly as the radius group is named and assign your session/authorization policies to it? (Depending on whether we are talking about an aaa group or a system group.) The group name on the ADC has to match the group retrieved from the user membership via radius (or AD), and policies have to be applied to the group on the ADC.
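
Added example, not part of either post: a Python triage script for the symptom in the logs quoted in the question, where the RADIUS policy succeeds for a user but every command after login is rejected as not authorized. The sample lines are constructed in the same syslog format; the host name, IP addresses and user names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format quoted in the question.
# Host name, IP addresses and user names are placeholders.
_P = ("May 14 16:08:30 <local0.info> 192.0.2.10 05/14/2020:14:08:30 GMT "
      "adc-example 0-PPE-0 : default ")
SAMPLE_LOG = "\n".join(_P + rest for rest in [
    'AAA Message 101 0 :  "In update_aaa_cntr: Succeeded policy for user alice = clearpass"',
    'GUI CMD_EXECUTED 102 0 :  User alice - Remote_ip 192.0.2.50 - Command "login alice "********"" - Status "Success"',
    'GUI CMD_EXECUTED 103 0 :  User alice - Remote_ip 192.0.2.50 - Command "show system user alice" - Status "ERROR: Not authorized to execute this command"',
    'GUI CMD_EXECUTED 104 0 :  User alice - Remote_ip 192.0.2.50 - Command "show ns license" - Status "ERROR: Not authorized to execute this command"',
    'AAA Message 105 0 :  "In update_aaa_cntr: Succeeded policy for user bob = clearpass"',
    'GUI CMD_EXECUTED 106 0 :  User bob - Remote_ip 192.0.2.51 - Command "show ns license" - Status "Success"',
    'GUI CMD_EXECUTED 107 0 :  User bob - Remote_ip 192.0.2.51 - Command "rm system user x" - Status "ERROR: Not authorized to execute this command"',
])

AUTH_OK = re.compile(r'AAA Message \d+ \d+ :\s+"In update_aaa_cntr: '
                     r'Succeeded policy for user (?P<user>\S+) = (?P<policy>[^"]+)"')
# The command is matched greedily because a login command embeds its own quotes.
CMD = re.compile(r'CMD_EXECUTED \d+ \d+ :\s+User (?P<user>\S+) - Remote_ip \S+ - '
                 r'Command "(?P<cmd>.*)" - Status "(?P<status>[^"]*)"')

def find_authz_gaps(log_text):
    """Return users whose authentication policy succeeded but who were never
    allowed to run a single command after login."""
    policy, allowed, denied = {}, defaultdict(int), defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            policy[m["user"]] = m["policy"]
            continue
        m = CMD.search(line)
        if not m or m["cmd"].startswith("login "):
            continue  # the login itself always succeeds once authenticated
        if m["status"] == "Success":
            allowed[m["user"]] += 1
        elif "Not authorized" in m["status"]:
            denied[m["user"]].append(m["cmd"])
    # Some denials mixed with successes is a restrictive command policy,
    # not a missing group binding, so those users are not reported.
    return {u: {"policy": policy[u], "denied": denied[u]}
            for u in policy if denied[u] and not allowed[u]}

if __name__ == "__main__":
    for user, info in find_authz_gaps(SAMPLE_LOG).items():
        print(f"{user}: authenticated via {info['policy']}, denied {info['denied']}")
```

A user reported here is the case to compare against the reply above: check the group name returned for that user against the group defined on the ADC.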

 

 
